Increasingly, cyber security and other standards are requiring risk management as a foundation. Consider a few examples.

  • ISO 27001 is firmly grounded in risk management as the basis for implementing appropriate information security controls.
  • PCI-DSS requires that a risk assessment process be implemented, and that risk assessments be performed at least annually and upon significant changes.
  • The NIST framework is based on risk management and NIST have developed SP800-30, SP800-37 and SP800-39 to assist.
  • GDPR requires a data protection impact assessment and risk assessment.
  • HIPPA requires a risk assessment be performed against Personal Health Information.
  • The Cloud Security Alliance (CSA) requires that risk assessments associated with data governance requirements be conducted at planned intervals.
  • In 2018, the Australian Government’s Information Security Manual (ISM) underwent significant changes, with the biggest being a move towards a risk-based focus.

Observations

Clearly, risk management is such a vital component of maintaining cyber security compliance. However, and as with all aspects of compliance, there is a danger that risk management may become another tick-in-the-box exercise. Although this is a arguably a better outcome than not practising risk management at all, it also represents a missed opportunity.

Effective risk management equips senior management to make sound decisions in allocating resources to protect organisations and their assets. This point is summarised in the NIST Framework for Improving Critical Infrastructure Cybersecurity in describing an organisation that practices adaptive risk management:

“Senior executives monitor cybersecurity risk in the same context as financial risk and other organizational risks. The organizational budget is based on an understanding of the current and predicted risk environment and risk tolerance. Business units implement executive vision and analyze system-level risks in the context of the organizational risk tolerances. Cybersecurity risk management is part of the organizational culture and evolves from an awareness of previous activities and continuous awareness of activities on their systems and networks. The organization can quickly and efficiently account for changes to business/mission objectives in how risk is approached and communicated.”

Many organisations struggle to include meaningful cyber security risks in their corporate risk registers. Often, all that is included are generic risks that are difficult to quantify and measure. Sadly, this scenario does not equip senior management to make sound decisions.

Challenges

  • Does your organisation rush to update the risk assessment a couple of weeks before your annual compliance audit, chasing risk owners to implement risk mitigations?
  • Do you manage risk assessments in a spreadsheet that risk owners can’t update?
  • If you outsource risk management, do you start from scratch each time you engage a new consultant, because they either user their own tools, or don’t trust the previous consultant?
  • Are your risk assessments consistent and repeatable?
  • How effectively do you report information security risks to executives and the board?
  • Quite likely, your risk management procedure requires regular (maybe monthly) reporting on high risks. Does your organisation comply with this requirement?

Recommendations

Ensure you have a formal cyber security risk management process, preferably based on your organisation’s enterprise risk management process. This will simplify the process of reporting information security risks and incorporating them into the corporate risk register. And it will ensure that executives understand cyber security risk ratings.

Consider using a risk management tool that can readily be shared with all stakeholders. This will help move cyber security risk management from a mostly static, annual activity, to continuous practice. Give stakeholders the ability to manage their own risks in the risk register. Provide senior management with a cyber security risk dashboard.

Due to the sensitivity of the information in your cyber security risk register, ensure that the tool you choose provides appropriate security (you don’t want your dirty laundry aired in public).

Yours in security,

David Begg

SECTARA Head of Cybersecurity
IRAP Assessor

 

About SECTARA

SECTARA is a premier security risk assessment and management platform, ideal for both consultants and corporate security managers. There are several methods to get started:

As a valued subscriber, you will be comprehensively supported via our Ticketing System and Knowledge Base.

We look forward to seeing you on SECTARA!